From b55e65980ab44c7e0e0999b79bec8c06240489d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20L=C3=B3pez?= <graulopezjavier@gmail.com>
Date: Mon, 21 Mar 2022 22:40:24 -0500
Subject: [PATCH] fix(ci): provide necessary permissions for calling workflow

Also error on the side of security adding an extra check on the
automatic PR step.
---
 .github/workflows/api-docs-check.yml | 3 +++
 .github/workflows/api-docs.yml       | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/api-docs-check.yml b/.github/workflows/api-docs-check.yml
index 8ae6e6ff92..bcbc631172 100644
--- a/.github/workflows/api-docs-check.yml
+++ b/.github/workflows/api-docs-check.yml
@@ -12,6 +12,9 @@ on:
 jobs:
   call-regen-api-docs:
     if: github.event.pull_request.draft == false
+    permissions:
+      contents: write
+      pull-requests: write
     uses: ./.github/workflows/api-docs.yml
     with:
       check_only: true
diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
index 36ac087c4a..7550af6fef 100644
--- a/.github/workflows/api-docs.yml
+++ b/.github/workflows/api-docs.yml
@@ -60,7 +60,7 @@ jobs:
           exit 1
 
       - name: Automatic PR
-        if: ${{ steps.docs.outputs.UPDATED_DOCS != 0 }}
+        if: ${{ steps.docs.outputs.UPDATED_DOCS != 0 && !inputs.check_only }}
         run: |
           git add -u
           git commit -m 'docs: regenerate [skip ci]'